How do I configure NAT rules when using ASA IP-SLA when leveraging post-ASA-8.3 NAT syntax?

Question

We are currently running ASA9 at a location with redundant ip connectivity. We'd love to configure ip sla so that internet access survives a single carrier outage. I'm aware of the ip sla commands, however when I've tried to prepopulate the required NAT rules, the addition of the second rule will overwrite the first. Here is an example:

object network NYHQ_GUESTWIRELESS_10.110.6.0_24
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface

When I attempt to add an additional nat rule, perhaps

nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface

The new rule overwrites the preexisting rule, as so:

object network NYHQ_GUESTWIRELESS_10.110.6.0_24
 nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface

Is there any way that I can have both of these rules in place so that NAT can cooperate with our SLA rules to ensure that regardless of which provider is used, NAT still works properly?

Answer 1

The way that we deal with this is to create an separate object group for interface that we want to have redundant connectivity to, it is a little messy but it should work for what you need.

So you would have a FIOS object

object network FIOS_NYHQ_GUESTWIRELESS_10.110.6.0_24
    nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_FIOS) dynamic interface

and a Cogent object

object network COGENT_NYHQ_GUESTWIRELESS_10.110.6.0_24
    nat (NYHQ-GUESTWIRELESS,NYHQ-OUTSIDE_COGENT) dynamic interface

And you should be all set.

It is a pain if you have multiple servers and multiple upstreams, but it works for us. I am sure there is a more streamlined solution and am interested in what others are doing to solve this issue.